OAuth WG

IETF119

Wednesday

Note-taker: Justin Richer, Pieter Kasselman

SD-JWT

Presentation:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-sd-jwt/

Brian gave an overview of the SD-JWT mechanisms

it's a hash-based mechanism for selective disclosure

aims to be easy to use for familiar algorithms

structure:

to reveal:

also a key-binding JWT (KB-JWT)

new since last time:

Open Issues:
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues

Discussion items

Next Steps:

Peter Liu: use cases for comparing age to threshold; is there an
algebraic formula for disclosure?

Brian: no, you can expose the whole birthday or add new claims like
age_over_21 and disclose only that

Richard: thanks to the authors, have pushed a ton of issues and they've
been great

Use of extra time:

  1. Mike - suggests not distinguising between SD-JWT and SD-JWT+KB.
    Richard asserts that it is required because security properties are
    different. Brian suggest clarification. Richard - guard against
    mistakes by implementors, make it hard to get confused. Mike - it is
    more than terminology. Using a different media type does not mean
    that there is a ky binding. The verification still has to be done
    seperately. Argument is that a media type does not guarunette
    correct implementation. Brian - media type is not intended to have
    security proerties or help with binding. John Bradly - it is
    dangerous to have the media type suggest a security property.
    Richard - Need to guide to different implementations because they
    have different security proeprties. John Bradly - talk anout them as
    seperate things makes snese. Different media types may not help.

OAuth 2.0 Protected Resource Metadata

Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-oauth-20-protected-resource-metadata/

Presenter: Mike Jones

What is this for? See the last presentation from IETF118

Change ssince 118:

All known issues are addressed

Time for WG Last Call?

Chairs: Will start WGLC after meeting

Kristina: how much implementation experience?

Mike: All OID Fed use it

Kristina: it's mandatory?
Mike: yes

Atul: This is useful in the context of SSF as well; this makes it
possible for RS to get a token far more capable than what it needs

Hannes: will you review during WGLC?

Browser-Based Apps BCP

Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-browser-based-apps-bcp/

Presenter: Aaron Parecki

What is it?

Major re-structuring (main changes)

Next Steps:

Chairs will issue WG LC
- Justin (already done, not doing it again), Tim Cappalli, Andy

Transaction Tokens

Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-transaction-tokens/

Presenter: George Fletcher

what is it?

changes:

Issues https://github.com/oauth-wg/oauth-transaction-tokens/issues

chairs:

Brian: you do declare a header, you need to to through the process

Atul: on header, good to decide, increase interop
Justin - Ask for early review from HTTP directorate. Can use
authorization header or custome header. George - May want to use it as
seperate header as authroization header is used for other purposes.

AJ Stein: Heads up to its authors, very minor thing: the transaction
tokens I-D in datatrack doesn't have the GitHub metadata on the page to
find the repo for this draft, so it could help to save me 1-2 Google
searches like the others (I lurk and getting my legs, not a frequent
OAUTH contributor yet or would have guessed the GH repo org).

https://github.com/oauth-wg/oauth-transaction-tokens/issues/72

Identity Chaining

Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-oauth-identity-and-authorization-chaining-across-domains-00

Presenter: Kelly

background:

solution:

claims transcription

changes

open issues
https://github.com/oauth-wg/oauth-identity-chaining/issues

Aaron: curious about send-constraining mechanism; is there anything
that's unique to this?

brian: there's a lot of variations, depending on who's calling who and
chaining what that make constraining really difficult

Pieter: we need to write down the scenarios and work through them one by
one; sometimes it's impossible and we need to be explicit why not

Identity Assertion Authorization Grant

Presenter: Aaron Parecki
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-identity-assertion-authorization-grant-00

Profile of identity chaining across domains

context/problem:

Building blocks:

Why bother profiling?

not imposing any new restrictions to final access token response

status

George: sounds like we're bootstrapping on the id token to identify the
token and creating an access token off of that; in the sense of
accessing APIs

Atul: could this be a profile of identity chaining and not a separate
spec?

Pieter: we may see additional profiles, keeping it as a separate
document makes sense; I think we will see 2-3 more

Kristina: naming of the draft is confusing; aligning to make it more
clear

Atul: can this work also with SAML?

What are next steps for WG adoption?

Chairs: let this cook a little bit, expect more reviews for other
document; if you find people who are interested outside Okta, that would
be a good indication for call for adoption

SD-JWTs Part 2

Mike Jones: read the PR and commented on it; in my mind, an SD-JWT with
or without KB is an SD-JWT, not a new media type

Richard: in some degree it's an optional feature, but it gives you
different security features; we need to make sure that the verifier
knows what properties they're getting

Hannes: wouldn't an attacker just change the media type? similar to
attack in LAMPS; from LAMPS, couldn't we incorporate something in key
derivation?

richard: much like alg:none, if you arrange your policy you won't be
vulnerable, but people in practice don't arrange their policies

Mike: it's not just terminology, there's a different media type, and
it's extraneous; media type doesn't add security properties

John Bradley: SDJWT has a confirmation method, receiver has to verify;
that's what drives whether or not it's key-bound SDJWT

Brian: media type isn't meant to be validatation

John: stronger argument for media type is for requesting, than for
requiring checking confirmation

Richard: we should never have an interface that you should shove either
SD-JWT and SD-JWT-KB

Brian: confirmation claim isn't the only way to express it, not the only
way to drive checking KB, can also be on policy

John: both types will be received over the same flow by the verifier

Richard: it needs to

john: but it doesn't right now

Kristina: don't want to solely discuss on media types

Joe: being able to differentiate makes it clearer how to apply policy,
seems like a good idea

Mike: fine with clarity, don't need explicit syntax for it b/c you have
to check it

Kristina: then why do you need JWT types?

Mike: 'typ' value is part of the signed structure, but recipient only
gets value from it by checking it at runtime for checking it

Brian: media type is just naming to signal this

Kristina: specific example uses same value

Chairs Summary

Hope we have spare time to continue this!

Thursday

Notetaker: George Fletcher, Pieter Kasselman, Yaroslav Rosomakho

Interim OAuth WG meetings

SD-JWT VC

https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessc-sd-jwt-vc

Hannes: Where is the proposal? Daniel to share. Type metadata.

Questions:

Token Status List - Tobias/Paul/Christian (30 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-token-status-list

Questions:

Attestation-based Client Authentication - Tobias/Paul (20 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-attestation-based-client-authentication

Nonce Endpoint – Orie (20 min)

https://datatracker.ietf.org/doc/draft-demarco-oauth-nonce-endpoint/
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessc-nonce-endpoint-status-attestations

Status Attestation – Orie (20 min)

https://datatracker.ietf.org/doc/draft-demarco-oauth-status-attestations/

Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessc-nonce-endpoint-status-attestations

JSON Fine Grained Access - Jiangcheng (10 min)

https://datatracker.ietf.org/doc/draft-zhang-jose-json-fine-grained-access/

Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-json-fine-grained-access

Friday

Notetaker: Mike Jones, Yaron Sheffer

Cross-Device Security

Pieter Kasselman presented about
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

Pieter summarized the problem being solved
Gave the example of QR-code based flows
Described attackers tricking the user
-05 added actionable guidance to implementers
(See the "How to use the draft" slide)
Top recommendation is to find a way to establish proximity
The draft enumerates formal methods evaluations on the topic
We need reviewers
Hannes asked whether we should start WGLC to elicit reviews
Pieter said that the purpose is to get feedback
Monty, Dean, Roy, Ralph, Hannes volunteered to review
Pieter plans to publish an update before the WGLC starts

OAuth 2.1

Aaron Parecki presented about
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

Aaron summarized changes since IETF 117
Aaron discussed confused implementations of ClientID+ClientSecret
encoding
He asked whether we should restrict the client_id and client_secret
syntax to alphanumerics only to avoid this mess completely
Filip Skokan said that implementations faithfully implementing RFC 6749
won't interoperate with Google
Yaron said that allowing characters beyond alphanumerics would be useful
for discovery of secrets in logs and code
George Fletcher asked about migration
Justin Richer said that even if we changed the alphabet, Google would
still be noncompliant
... It doesn't bite you until it does
... Using the Authorization Basic header lets people get away with
different things
... :shrug:

Mike J.: My former employers' client IDs include special characters and
they're unlikely to change that.
... Also, we kinda committed not to change the protocol is 2.1.
... The fact that people implement the spec incorrectly is orthogonal to
what the spec says.
Brian Campbell: people are prefixing their secrets. Also, people using
URIs as client ID.
... I am skeptical of this change.
Michael Fraser: In Open Banking Brazil, the Client ID is the base URI
for the Federation.
Filip: learned about prefixing of secrets. Most interoperable is to
encode everything except some set of chars. LEt's continue the
discussion on GH.
Mike J.: OpenId Fedederation also uses HTTPS URLs as Client IDs
... We need to keep the full character set
Aaron: more discussion to be had.
... Presented a proposed timeline, WGLC by IETF-121.
... Expects lots more work resolving open issues
... A lot of work remains
Hannes proposes a virtual interim in June. Aaron concurs.

Cedar Profile for RAR

Dean Saxe presented about
https://datatracker.ietf.org/doc/draft-cecchetti-oauth-rar-cedar/

Individual draft proposing a RAR profile for the Cedar authorization
language
Usama: please say more on formal methods. Sarah: this is on GH.

Sarah C.: Repository online at github.com/cedar-rust
Dean: Primary use case to standardize a Cedar policy set
... Presented a set of open questions
... This is the first profile on RAR
Yaron: It doesn't need to work for Open Banking
... At the high level, the draft needs to say to which areas this is
going to be applicable
George Fletcher: One possibility is to embed the Cedar syntax in my
access token.
... Take the RAR input and transform it into Cedar policies.
Ralph Bragg: ISO standardized a format for financial services
transactions.
... I can't see them updating these to adopt Cedar.
... In most cases the RS and AS are owned by the same domain.
... The Access Token is opaque to the RS.
... Introspection for a RS versus an RP is different.
... This can add complexity.
Brian: The whole idea of RAR was to provide a bucket that you can put
stuff in. What it is is indicated by a type field.
... Use cedar-policy.com as the type value
Justin Richer: The idea behind type in RAR is to specify what's in the
RAR data structure.
... I believe this is just syntactic massaging of what you already have.

Brian: Less syntactic is whether this makes sense.
... You can put Cedar policies in your Access Tokens without RAR.
... The idea behind RAR was to give the client a rich language to
express what it's requesting authorization for.
... I don't know that the client needs to be exposed to Cedar policies.

(There was back-and-forth between Dean and Brian about the nature of the
interactions between the components.)
Sarah: The client may not know what it has access to.
Brian: I'm still not clear on the need for the Client to express Cedar
policies. It feels like there's a disconnect. It's profiling the wrong
building block provided by OAuth.
... You don't need RAR to embed policies in the Access Token.
Brian: It feels more like an Access Token profile - maybe with a broader
scope.
... Enabling a flow between the AS and the RS.
Michael F: (Talked quickly about translating between things) Cedar is
probably too complex to use near the end user, and translate the Cedar
policy into UI. Reiterates that this is more appropriate inside of the
access token.
Pieter: This graph shouldn't be extensible to other policy languages.
... Are you planning to bring Cedar into the IETF to standardize here?
Dean: An open question is how to normatively refer to Cedar when it's
not standardized by an SDO.
Hannes: to be investigated.
Dima: The client doesn't need to know the policies. There is some
utility to sharing this information in a closed ecosystem.
... A bit of "why" could help.
Atul T: Policies can be longer lived.
Dean: As you know from the AuthZen WG, there's a lot of work on
externalizing authorization.
Hannes: This has triggered a good discussion. I suspect you have enough
information to update the document. We'll be coming back to this.

First-Party Apps

George Fletcher presented about
https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/

George described what is happening today.
Described flows, goals, and reusing existing things.
Proposes a new Authorization Challenge Endpoint.
.. Accepts parameters that would have been in the query string to the
Authorization Endpoint.
... Described why a new endpoint. PAR is very specific about how it's
used.
... Expected to be executed in a Web context.
... Described changes since IETF 118
Sent a message to the list about a generic OAuth POST request framework

... Didn't see any interest
Feel like spec is good enough to ask for WG adoption
... Could also describe how to use PassKeys for authentication
Hannes: I'll do a poll on who has read the draft.
... Yes: 5, No: 12, no opinion: 1
Hannes: Maybe we can recruit more reviewers, then do a call for adoption
on the mailing list.
Yaron: Are there specific implementations?
George: I don't know of specific implementations.
Yaron, Filip, and Ralph offered to review
Hannes: I'm reluctant to pull the trigger on adoption during the last
session, given low attendance and tired participants.
Brian: It feels like there's not a lot of reviewers and low energy, so a
call for adoption seems unwarranted.
Hannes: This feels like one of a series of recommendations for a
specific environment.
Brian: This is a whole new protocol. The other things like Browser-based
Apps were codifying existing practices.
... I did read the prior draft and my feedback has been largely
addressed.
... So I am involved.
Ralph: The industry is very lacking in guidance on first-party
applications. If anything, the need is getting more and more pressing.
... A standard to facilitate adoption would be great.
... There are four markets going live in the Middle East.
Roman: I'd like to see this problem solved. That said, I'd like it go
further before we do a call for adoption.
George: That's super helpful.

Global Token Revocation

Aaron Parecki presented about
https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation/

He described apps and app backends
... This adds a new endpoint at the AS
The goal is a lightweight revocation endpoint
... There's no negotiation and no wiggle room
He did a survey of existing token revocation/logout standareds
... There's no standard doing what this is trying to achieve
Input to Global Token Revocation required to be authenticated
... Uses SecEvent subject representation
Outcome is that refresh tokens and access tokens are revokved
He enumerated changes made since IETF 118
There are implementations in progress
... He can only name Okta's at the moment
Aaron asked if it's time for working group adoption
Atul T: Can this be expressed as a profile of Shared Signals Framework
(SSF)?
Aaron: The main concern with that is that SSF has subtleties, versus
whereas this is started to be a clear signal causing a specific action.

... Signals from SSF could be part of the input to the decision engine
causing this command to be used.
Hannes: Only two people have read the document
.. It would be good to have people chime in the list about why they
think this is useful work

Signed JWKs

Richard Barnes presented about
https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md

He described the normal JWT lifecycle
... Relies on Web PKI
... Used by OpenID Connect
Seeing new patterns for Verifiable Creentials
What if the JWK Set is not available?
... It could be offline
... The key might not still be in the JWK Set
Stick an x5c in the header
Then can reason about whether the JWT is still valid
... No validate-time dependency
Mike Jones helpfully pointed out that OpenID Federation uses Signed JWTs

... The only difference is the x5c
... Redistributable proof of authority
It maps to a lot of use cases
It's super-early stuff
... It's in a repot - no published draft yet
Roy: There's a lot of overlap with what's being done by SCITT
... How do you do revocation in this model?
Richard: This is using an intermediate certification
... And you can do certificate-based revocation

Justin: What's the difference between just using the certificate and
using the signed JWK Set?
Richard: There's a discussion of this in the document
... We want to not perturb the JWTs that are already out there
Justin: So the x5c is effectiely the CA? RB: yes.
Mike J.: I've read the draft and agree with parts of it
... People have been using signed JWK for at least 8 years
... The Signed JWK Sets are similar to those in OpenID Federation
... The draft title should highlight that the innovation is that it
defines a way to validate a JWT issuer using a PKIX cert but not TLS
Rohan: I've been thinking about writing a draft like this for a while.
... In response to the revocation question, the cert could contain a CRL
revocation point, which you would check in the normal way
... The most important thing that we're dancing around is "Why do you
want to unlink the identity from the WebPKI?"
... What's done in the OAuth WG is provide a way to do authorization
using WebPKI
... I think it's useful